{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-50001", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-06-11T16:08:03.196Z", "datePublished": "2026-03-19T08:07:39.900Z", "dateUpdated": "2026-04-01T15:55:56.480Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "td-composer", "product": "tagDiv Composer", "vendor": "tagDiv", "versions": [{"changes": [{"at": "5.4.3", "status": "unaffected"}], "lessThanOrEqual": "5.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:41:26.846Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.<p>This issue affects tagDiv Composer: from n/a through <= 5.4.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.2."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T15:55:56.480Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress tagDiv Composer plugin <= 5.4.2 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:42:59.152166Z", "id": "CVE-2025-50001", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:43:35.476Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-50001", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:42:59.152166Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:43:10.907Z"}}], "cna": {"title": "WordPress tagDiv Composer plugin <= 5.4.2 - Reflected Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "tagDiv", "product": "tagDiv Composer", "versions": [{"status": "affected", "changes": [{"at": "5.4.3", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "5.4.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress tagDiv Composer Plugin to the latest available version (at least 5.4.3).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress tagDiv Composer Plugin to the latest available version (at least 5.4.3).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through 5.4.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer allows Reflected XSS.<p>This issue affects tagDiv Composer: from n/a through 5.4.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:07:39.900Z"}}}, "cveMetadata": {"cveId": "CVE-2025-50001", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:43:35.476Z", "dateReserved": "2025-06-11T16:08:03.196Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:07:39.900Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.2."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en tagDiv tagDiv Composer permite XSS Reflejado. Este problema afecta a tagDiv Composer: desde n/a hasta 5.4.2."}], "id": "CVE-2025-50001", "lastModified": "2026-04-01T17:25:29.490", "metrics": {}, "published": "2026-03-19T09:16:15.683", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.4.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.4.3,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "tagDiv Composer", "source": "cna", "vendor": "tagDiv"}, "product": "tagdiv_composer", "vendor": "tagdiv"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-02T03:38:08.203714+00:00", "value": {"mitigation_remediation": ["Apply the latest tagDiv Composer update, version 5.4.3 or newer.", "Confirm current plugin version and upgrade any installations older than 5.4.2.", "If an update is not possible, disable or delete the tagDiv Composer plugin to remove the attack vector.", "Deploy a web\u2011application firewall or security plugin that blocks reflected XSS input as a temporary protective measure."], "summary": {"action": "Patch", "impact": "Cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the tagDiv Composer plugin up to and including version 5.4.2 are affected. Versions prior to the earliest release (i.e., any available installation of the plugin) are also vulnerable until the patch is applied. The issue does not apply to versions 5.4.3 and later.", "description_and_impact": "An input validation flaw in the tagDiv Composer WordPress plugin allows attackers to embed malicious scripts that are reflected back in the page. The vulnerability is a classic reflected XSS (CWE\u201179) and enables client\u2011side code execution, which can lead to session hijacking, data theft, or malicious site manipulation if a user visits a crafted URL or submits a covert form.", "risk_and_exploitability": "The risk is moderated by the low likelihood of exploitation, with an indicated probability below 1%. Although the flaw is remotely exploitable via a crafted request, it requires the victim to visit or interact with a vulnerable page. It is not listed among the CISA Known Exploited Vulnerabilities catalog, indicating no known widespread exploitation."}}}}, "created": "2026-03-20T08:57:11.975484+00:00", "updated": "2026-04-02T07:59:55.612496+00:00", "vendors": ["tagdiv", "tagdiv$PRODUCT$tagdiv_composer", "wordpress", "wordpress$PRODUCT$wordpress"]}